Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation

GHSA-h24p-qwf4-84q8 · CVE-2017-7669

Published May 17, 2022 · Modified Nov 8, 2023

Description

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-7669
WEB https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E
WEB http://www.securityfocus.com/bid/98795

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes